CentOS 6.5 snort インストール

使う用事ができたのでインストールして簡単なルールを書いて動作確認してみる。

$ uname -a
Linux localhost.localdomain 2.6.32-431.11.2.el6.x86_64 #1 SMP Tue Mar 25 19:59:55 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

$ cat /etc/centos-release
CentOS release 6.5 (Final)
$ yum info snort
Name        : snort
Arch        : x86_64
Epoch       : 1
Version     : 2.9.6.1
Release     : 1
Size        : 15 M
Repo        : installed
Summary     : An open source Network Intrusion Detection System (NIDS)
URL         : http://www.snort.org/
License     : GPL
Description : Snort is an open source network intrusion detection system, capable of
            : performing real-time traffic analysis and packet logging on IP networks.
            : It can perform protocol analysis, content searching/matching and can be
            : used to detect a variety of attacks and probes, such as buffer overflows,
            : stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts,
            : and much more.
            :
            : Snort has three primary uses. It can be used as a straight packet sniffer
            : like tcpdump(1), a packet logger (useful for network traffic debugging,
            : etc), or as a full blown network intrusion detection system.
            :
            : You MUST edit /etc/snort/snort.conf to configure snort before it will work!
            :
            : There are 5 different packages available. All of them require the base
            : snort rpm (this one). Additionally, you may need to chose a different
            : binary to install if you want database support.
            :
            : If you install a different binary package /usr/sbin/snort should end up
            : being a symlink to a binary in one of the following configurations:
            :
            :         plain                Snort (this package, required)
            :
            : Please see the documentation in /usr/share/doc/snort-2.9.6.1 for more
            : information on snort features and configuration.
$ yum info daq
Name        : daq
Arch        : x86_64
Version     : 2.0.2
Release     : 1
Size        : 961 k
Repo        : installed
Summary     : Data Acquisition Library
URL         : http://www.snort.org/
License     : GNU General Public License
Description : Data Acquisition library for Snort.
Name        : libdnet
Arch        : x86_64
Version     : 1.12
Release     : 6.el6
Size        : 65 k
Repo        : installed
From repo   : epel
Summary     : Simple portable interface to lowlevel networking routines
URL         : http://code.google.com/p/libdnet/
License     : BSD
Description : libdnet provides a simplified, portable interface to several
            : low-level networking routines, including network address
            : manipulation, kernel arp(4) cache and route(4) table lookup and
            : manipulation, network firewalling (IP filter, ipfw, ipchains,
            : pf, ...), network interface lookup and manipulation, raw IP
            : packet and Ethernet frame, and data transmission.

rpmbuild

snort本家のCentOS用のRPMがうまくインストールできなかったので、snort本家が配布しているSRPMをrebuildした。

% yum install rpm-build rpmdevtools
$ rpmdev-setuptree
$ curl -o snort-2.9.6.1-1.src.rpm -O -L http://www.snort.org/downloads/2909
$ curl -o daq-2.0.2-1.src.rpm -O -L http://www.snort.org/downloads/2900

daq

% yum install flex bison
$ rpmbuild --rebuild daq-2.0.2-1.src.rpm
% rpm -ivh rpmbuild/RPMS/x86_64/daq-2.0.2-1.x86_64.rpm

snort

% rpm -ivh http://ftp.jaist.ac.jp/pub/Linux/Fedora/epel/6/x86_64/epel-release-6-8.noarch.rpm
% yum-config-manager --disable epel

% yum --enablerepo=epel install libdnet-devel
% yum install autoconf automake pcre-devel libpcap-devel gcc openssl-devel

$ rpmbuild --rebuild snort-2.9.6.1-1.src.rpm
% rpm -ivh rpmbuild/RPMS/x86_64/snort-2.9.6.1-1.x86_64.rpm

snort 設定

$ diff -u snort.conf.org snort.conf
--- snort.conf.org	2014-05-04 23:52:08.958045878 +0900
+++ snort.conf	2014-05-05 20:00:07.720036619 +0900
@@ -246,7 +246,7 @@
 dynamicengine /usr/lib64/snort-2.9.6.1_dynamicengine/libsf_engine.so
 
 # path to dynamic rules libraries
-dynamicdetection directory /usr/local/lib/snort_dynamicrules
+#dynamicdetection directory /usr/local/lib/snort_dynamicrules
 
 ###################################################
 # Step #5: Configure preprocessors
@@ -499,12 +499,12 @@
    check_crc
 
 # Reputation preprocessor. For more information see README.reputation
-preprocessor reputation: \
-   memcap 500, \
-   priority whitelist, \
-   nested_ip inner, \
-   whitelist $WHITE_LIST_PATH/white_list.rules, \
-   blacklist $BLACK_LIST_PATH/black_list.rules 
+#preprocessor reputation: \
+#   memcap 500, \
+#   priority whitelist, \
+#   nested_ip inner, \
+#   whitelist $WHITE_LIST_PATH/white_list.rules, \
+#   blacklist $BLACK_LIST_PATH/black_list.rules 
 
 ###################################################
 # Step #6: Configure output plugins
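Review bot: Commenting out the whole reputation preprocessor block drops the IP whitelist/blacklist check rather than just the missing list files, so a sensor built from this config has no reputation filtering at all. If the block was disabled because `$WHITE_LIST_PATH/white_list.rules` and `$BLACK_LIST_PATH/black_list.rules` do not exist on the rebuilt RPM (presumably the case here; the page does not show the error), the smaller change is to keep the six `preprocessor reputation:` lines as they were and create the two list files, empty if need be, at those paths. That keeps the preprocessor available when the config is later reused beyond this ICMP smoke test. The trailing whitespace after `black_list.rules` on the last line is carried over unchanged from the original.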
@@ -538,123 +538,7 @@
 ###################################################
 
 # site specific rules
-include $RULE_PATH/local.rules
-
-include $RULE_PATH/app-detect.rules
-include $RULE_PATH/attack-responses.rules
-include $RULE_PATH/backdoor.rules
-include $RULE_PATH/bad-traffic.rules
-include $RULE_PATH/blacklist.rules
-include $RULE_PATH/botnet-cnc.rules
-include $RULE_PATH/browser-chrome.rules
-include $RULE_PATH/browser-firefox.rules
-include $RULE_PATH/browser-ie.rules
-include $RULE_PATH/browser-other.rules
-include $RULE_PATH/browser-plugins.rules
-include $RULE_PATH/browser-webkit.rules
-include $RULE_PATH/chat.rules
-include $RULE_PATH/content-replace.rules
-include $RULE_PATH/ddos.rules
-include $RULE_PATH/dns.rules
-include $RULE_PATH/dos.rules
-include $RULE_PATH/experimental.rules
-include $RULE_PATH/exploit-kit.rules
-include $RULE_PATH/exploit.rules
-include $RULE_PATH/file-executable.rules
-include $RULE_PATH/file-flash.rules
-include $RULE_PATH/file-identify.rules
-include $RULE_PATH/file-image.rules
-include $RULE_PATH/file-java.rules
-include $RULE_PATH/file-multimedia.rules
-include $RULE_PATH/file-office.rules
-include $RULE_PATH/file-other.rules
-include $RULE_PATH/file-pdf.rules
-include $RULE_PATH/finger.rules
-include $RULE_PATH/ftp.rules
-include $RULE_PATH/icmp-info.rules
 include $RULE_PATH/icmp.rules
-include $RULE_PATH/imap.rules
-include $RULE_PATH/indicator-compromise.rules
-include $RULE_PATH/indicator-obfuscation.rules
-include $RULE_PATH/indicator-scan.rules
-include $RULE_PATH/indicator-shellcode.rules
-include $RULE_PATH/info.rules
-include $RULE_PATH/malware-backdoor.rules
-include $RULE_PATH/malware-cnc.rules
-include $RULE_PATH/malware-other.rules
-include $RULE_PATH/malware-tools.rules
-include $RULE_PATH/misc.rules
-include $RULE_PATH/multimedia.rules
-include $RULE_PATH/mysql.rules
-include $RULE_PATH/netbios.rules
-include $RULE_PATH/nntp.rules
-include $RULE_PATH/oracle.rules
-include $RULE_PATH/os-linux.rules
-include $RULE_PATH/os-mobile.rules
-include $RULE_PATH/os-other.rules
-include $RULE_PATH/os-solaris.rules
-include $RULE_PATH/os-windows.rules
-include $RULE_PATH/other-ids.rules
-include $RULE_PATH/p2p.rules
-include $RULE_PATH/phishing-spam.rules
-include $RULE_PATH/policy-multimedia.rules
-include $RULE_PATH/policy-other.rules
-include $RULE_PATH/policy.rules
-include $RULE_PATH/policy-social.rules
-include $RULE_PATH/policy-spam.rules
-include $RULE_PATH/pop2.rules
-include $RULE_PATH/pop3.rules
-include $RULE_PATH/protocol-dns.rules
-include $RULE_PATH/protocol-finger.rules
-include $RULE_PATH/protocol-ftp.rules
-include $RULE_PATH/protocol-icmp.rules
-include $RULE_PATH/protocol-imap.rules
-include $RULE_PATH/protocol-nntp.rules
-include $RULE_PATH/protocol-pop.rules
-include $RULE_PATH/protocol-rpc.rules
-include $RULE_PATH/protocol-scada.rules
-include $RULE_PATH/protocol-services.rules
-include $RULE_PATH/protocol-snmp.rules
-include $RULE_PATH/protocol-telnet.rules
-include $RULE_PATH/protocol-tftp.rules
-include $RULE_PATH/protocol-voip.rules
-include $RULE_PATH/pua-adware.rules
-include $RULE_PATH/pua-other.rules
-include $RULE_PATH/pua-p2p.rules
-include $RULE_PATH/pua-toolbars.rules
-include $RULE_PATH/rpc.rules
-include $RULE_PATH/rservices.rules
-include $RULE_PATH/scada.rules
-include $RULE_PATH/scan.rules
-include $RULE_PATH/server-apache.rules
-include $RULE_PATH/server-iis.rules
-include $RULE_PATH/server-mail.rules
-include $RULE_PATH/server-mssql.rules
-include $RULE_PATH/server-mysql.rules
-include $RULE_PATH/server-oracle.rules
-include $RULE_PATH/server-other.rules
-include $RULE_PATH/server-samba.rules
-include $RULE_PATH/server-webapp.rules
-include $RULE_PATH/shellcode.rules
-include $RULE_PATH/smtp.rules
-include $RULE_PATH/snmp.rules
-include $RULE_PATH/specific-threats.rules
-include $RULE_PATH/spyware-put.rules
-include $RULE_PATH/sql.rules
-include $RULE_PATH/telnet.rules
-include $RULE_PATH/tftp.rules
-include $RULE_PATH/virus.rules
-include $RULE_PATH/voip.rules
-include $RULE_PATH/web-activex.rules
-include $RULE_PATH/web-attacks.rules
-include $RULE_PATH/web-cgi.rules
-include $RULE_PATH/web-client.rules
-include $RULE_PATH/web-coldfusion.rules
-include $RULE_PATH/web-frontpage.rules
-include $RULE_PATH/web-iis.rules
-include $RULE_PATH/web-misc.rules
-include $RULE_PATH/web-php.rules
-include $RULE_PATH/x11.rules
 
 ###################################################
 # Step #8: Customize your preprocessor and decoder alerts
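Review bot: The removed lines include `include $RULE_PATH/local.rules`, the file intended for site-specific rules, while the test rule is then written into `icmp.rules`, a distributed rule file that any rule-set update would overwrite. Keep `include $RULE_PATH/local.rules` in this hunk and put the test rule there instead. The rule as written carries no options; giving it e.g. `alert icmp any any -> any any (msg:"ICMP test"; sid:1000001; rev:1;)` (constructed example, sid in the local range) makes the entries in /var/log/snort/alert identifiable and distinguishable from other alerts. With every other include removed the sensor detects nothing but ICMP, which is fine for this check but should be restored before the config is used for real monitoring.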
$ vi /etc/snort/rules/icmp.rules
alert icmp any any -> any any
% service snortd start

pingを送受信したときにアラートを吐くルールを書いて、/var/log/snort/alertにアラートが吐かれることを確認した。